Non-Global Zone Characteristics

A zone provides isolation at almost any level of granularity you require.
A zone does not need a dedicated CPU, a physical device, or a portion of physical
memory. These resources can either be multiplexed across a number of zones
running within a single domain or system, or allocated on a per-zone basis
using the resource management features available in the operating system.

Each zone can provide a customized set of services. To enforce basic
process isolation, a process can see or signal only those processes that exist
in the same zone. Basic communication between zones is accomplished by giving
each zone IP network connectivity. An application running in one zone cannot
observe the network traffic of another zone. This isolation is maintained
even though the respective streams of packets travel through the same physical
interface.

Each zone is given a portion of the file system hierarchy. Because each
zone is confined to its subtree of the file system hierarchy, a workload running
in a particular zone cannot access the on-disk data of another workload running
in a different zone.

Files used by naming services reside within a zone's own root file system
view. Thus, naming services in different zones are isolated from one other
and the services can be configured differently.